December 9, 2021
The 5×5—The state of cybersecurity in Latin America
On December 6, 2021, Microsoft reported that a Chinese hacking group, dubbed NICKEL, has been targeting large swaths of the public and private sector across Latin America. Before Microsoft disrupted its operations, NICKEL had gained and maintained access to numerous targets of economic and traditional intelligence value. The cyber-espionage campaign demonstrates how outside powers have significant interests in Latin America and are keen to gain insights to support efforts such as the Belt and Road Initiative.
While state-linked cyber campaigns are a threat to countries in Latin America, the most frequent and consequential threat to the region remains cybercrime. Financially motivated groups have not only targeted organizations across the continent, primarily with ransomware, but they have also broadened the scope of their operations and have a global reach. Latin American countries are beginning to do more to improve their cyber preparedness, as evidenced by Brazil’s publication of its first national cybersecurity strategy in 2020, but, by and large, their capacity and awareness remain insufficient to counter the panoply of cyber threats to the region.
We asked five experts to provide insights into the current state of cybersecurity in Latin America, how capacity and cooperation could be improved, and what the future holds for the region.
#1 What targeted investments would go furthest in building cyber capacity across Latin America?
Belisario Contreras, cybersecurity and digital transformation expert; former cybersecurity program manager, Organization of American States (OAS):
“Although fifteen countries have adopted a national cybersecurity strategy, there is still much work pending in terms of cyber capacity. The region should follow the success models from, for example, Israel and South Korea, and further develop their cyber industries. This way, the academic and technical community will get more specialized on cyber issues, local businesses will increase their expertise, and governments will have the opportunity to hire and even export the services of local companies. If Latin America builds its cyber capacity, it could offer expanded skills and personnel capabilities to the United States and other developed countries currently in need of cybersecurity. This could also have a positive impact on social and economic issues.”
Alex Crowther, visiting research professor, Florida International University:
“A 2020 Inter-American Development Bank (IADB) and Organization of American States (OAS) study identified a lack of skilled human capital as a major inhibitor. The most effective investment would be to give people from Latin America and the Caribbean access to American schools and other training institutions to learn cybersecurity practices. Educational institutions in the region cannot keep up with demand, as is common around the world. As one successful example, Florida International University in Miami executes continuing education programs specifically designed for working hemispheric professionals taught by distance and in person in both English and Spanish. The second most effective investment would be for cybersecurity organizations to open branch offices in the region. This would provide public and private sector organizations access to professional cybersecurity capabilities and develop local cyber talent to work in the offices.”
Louise Marie Hurel, PhD researcher, Department of Media and Communications | London School of Economics and Political Science (LSE):
“From a policy standpoint, there is a need for cyber capacity-building efforts that can help bridge the gap between technical security experts, civil society, and policymakers. Our effort at Igarapé Institute has been to focus on multistakeholder risk mapping exercises to leverage existing sectorial knowledge about threats with policy recommendations that are rights-respecting and reflective of multistakeholder inputs. Non-state actors, especially civil society organizations, can and have played an important role in tracking developments in national policies. However, there is also a need for the private sector companies working in this field and governments to be more sensitive about how civil society is an integral part of the threat landscape. Human rights defenders should have the capacity to not only engage in the policy discussion but also to have the tools to better protect themselves – independently of whether they work or not on cybersecurity.”
Safa Shahwan Edwards, deputy director, Cyber Statecraft Initiative:
“Investments in education, training and apprenticeship programs would make the most difference in building capacity, closing the cyber skills gap and getting more folks into the cyber talent pipeline. This could be a gamechanger for both the skills shortage as well as improving public awareness on cyber threats, as the region has been impacted by cybercrime and fraud during the pandemic.”
Carlos Solar, lecturer, Department of Sociology, University of Essex:
“Undoubtedly, more investments in human capital would go the furthest in building cyber capacity across Latin America. Governments should try to create opportunities that bridge education programs with job prospects, for example, encouraging graduates to launch new cybersecurity initiatives such as joint initiatives with public institutions at all levels of government. That would be ideal given the little interest to revamp decaying but data-heavy public bureaucracies. The region is young, entrepreneurial, and, most notably, it has competitive university courses. These must lead to real-world experiences building and managing cybersecurity capacity.”
#2 How are China and Russia shaping the cybersecurity landscape in Latin America?
Contreras: “China and Russia have an influence not only in Latin America but also around the world. China, for example, has been very active in providing loans, infrastructure, and connectivity. On the other side, we have seen Russia giving advice and training to various countries in Latin America. Nevertheless, countries such as Australia, Canada, New Zealand, the United States, and the United Kingdom are involved, or becoming more involved, in the region. From a diplomatic point of view, Latin American countries are getting more involved in the discussions of both the First (Disarmament and International Security) and Third (Social, Humanitarian & Cultural) Committees of the United Nations, where both China and Russia have significant political interests. On the First Committee, these countries have been able to successfully influence the outcomes of the Open-Ended Working Group and the last UN Group of Governmental Experts (GGE). Regarding the Third Committee, there is a strong interest in developing a new cybercrime convention. The votes and positions of the Group of Latin America and Caribbean Countries will be of relevance during the negotiations, including those that have already signed or requested adhesion to the Budapest Convention, such as Brazil.”
Crowther: “China and Russia are operating in both government and private sector networks throughout the hemisphere. Realizing this has forced some countries in the region to update their capabilities. Ironically, Chinese and Russian support for Venezuela has really motivated Colombia to develop a significant capability.”
Hurel: “There is a considerable amount of focus, particularly in the United States, United Kingdom, and Europe, on state-sponsored cyber operations from China and Russia. However, most concerns across the region focus on cybercrime, with recent attacks directed against financial institutions. That was the case of REvil ransomware attacks directed against Mexican and Chilean banks earlier this year. There are some advanced persistent threat (APT) groups that operate in the region, targeting specific non-profit organizations or governments, but they are not necessarily state-sponsored attacks from Russia or China. Some examples of these APTs include Spanish-speaking groups such as El Machete and Careto, as well as APT-C-36, FIN11. However, China is a big trade partner with many countries in Latin America and could use cyber capabilities to pressure negotiations. Threat intelligence companies have already reported signs of that kind of activity.”
Shahwan Edwards: “China has engaged in significant trade with countries in Latin America, as well as invested in regional infrastructure—often focused on ports, roads, energy and more. Russia’s engagement in the region is not new and has historically focused on developing relationships with governments that share a taste for leftist policies and populism—Cuba, Venezuela and Bolivia, just to name a few. Nowadays, one can see Russia developing relationships through arms sales and energy investments to maintain its presence in the Western Hemisphere.”
Solar: “Beijing and Moscow meet different needs in the region. China, on the one hand, has become the largest trading partner to many countries in Latin America. This means that technologies and services “made in China” are taking a larger piece of the information and communications technology (ICT) market, from mobile communications to new 5G networks. Russia, on the other hand, has been shown to collaborate with like-minded countries through military-to-military diplomacy. Both countries present a challenge to Washington’s plans for cybersecurity hegemony in the region.”
#3 What level of involvement should the US government have in cybersecurity and cyber conflict in Latin America? Are there countries to prioritize from a cybersecurity standpoint?
Contreras: “Considering the cultural, social, and economic ties between the United States and Latin America, there is a need for the United States to increase its involvement in cyber issues, particularly at the bilateral level. Institutions such as the Cybersecurity and Infrastructure Security Agency, the State Department, the United States Agency for International Development, the Department of Defense, and the National Security Agency, among others, should expand cooperation both at the policy and technical levels to increase cyber information sharing, provide training, and strengthen their relationships with their counterparts in the region. Although, in theory, cyber is a borderless concern and all countries should have equal importance, the United States could prioritize cooperation with countries with geopolitical and trade interests such as Argentina, Brazil, Chile, Colombia, Mexico, and Panama. In parallel, the United States could continue expanding its regional involvement through multilateral and technical mechanisms. Any new agreement signed with the region should include safeguards intended to increase cyber cooperation.”
Crowther: “The United States can help best by assisting Latin American and Caribbean allies and partners in building their cyber capacity. The Departments of Defense, Homeland Security, and Justice already work with partners in the region. More funding for these efforts will continue to improve their governmental cybersecurity but not private sector cybersecurity. The National Institute of Standards and Technology (NIST) Framework has already helped out and is perhaps the most popular framework in use throughout the hemisphere. Diplomatic outreach could also help, as allies and partners in the region can also support the global coalition of the willing in support of internet freedom. For instance, Costa Rica is a member of the Freedom Online Coalition and participated in the UN GGE meeting designed to achieve international cyber norms.”
Hurel: “There are certainly many lessons that can be shared between the United States and Latin America—especially in terms of institutional cyber capacity building, incident response coordination, and cybersecurity awareness campaigns. The United States has already been pushing for different bilateral agreements with countries across the region on cyber defense. Venezuela is perhaps one of the greatest points of tension in US-Latin America relations when it comes to cybersecurity—having recently attributed more than one attack directed against their critical infrastructure to the United States. While cooperation on cyber capacity building is welcome, countries might also be reluctant to engage if the United States takes a more interventionist approach to combat cyber conflicts.”
Shahwan Edwards: “The United States should be an active partner with Latin American states and focus its attentions on cyber diplomacy—more specifically, capacity building. There is an opportunity to be a good neighbor and continue to support regional partners to navigate cyber challenges and help establish national Computer Emergency Response Teams (CERTs). There is also an opportunity for the United States to share best practices and lessons learned to increase connectivity between private industry and government, especially as governments continue to hone their cyber statecraft.”
Solar: “Washington has already initiated a cybersecurity governance relationship with partners in the Americas. Former Secretary of Defense Jim Mattis travelled to the subcontinent and signed cybersecurity agreements with Argentina, Chile, and Brazil. These agreements have led to ongoing bilateral exchanges at the ministerial level with representatives from defense, foreign relations, telecommunications, and other government areas involved in building micro and macro policies towards cybersecurity. Military-to-military diplomacy for cybersecurity is a trend that Washington wants to expand further and counterbalance Beijing and Moscow. It is highly political and dependent on who is in the White House.”
#4 What non-state and/or private actor(s) are the most influential on the cybersecurity of Latin America now? Who will be five years from now and why?
Contreras: “Companies such as Amazon, Google, Meta, and Microsoft, are investing in policy development efforts, influencing the political dialogue, and ensuring that their interests are taken into consideration. In the upcoming years, other organizations will follow the same approach, particularly those interested in data protection issues. Organized criminal groups and non-state actors, particularly in countries such as Brazil, Colombia, and Mexico, are starting to shift the way they operate and invest in cyber-criminal operations, which is something that I predict will continue to increase over the next five years.”
Crowther: “The most influential non-state and/or private sector cyber actors in the Western Hemisphere are transnational criminal organizations that are expanding horizontally into cybercrime because it works and is lucrative. Large multinational companies and selected indigenous companies have a certain level of cybersecurity capability. Within five years, the situation will probably be about the same. Short of major investment in the area (which will remain depressed due to the ongoing global pandemic), there will not be any gains in cybersecurity that are not matched by transnational criminal organizations or global cyber actors that commit crimes, such as North Korea, which will both have more resources available than most actors in the Western Hemisphere.”
Shahwan Edwards: “Broadly, private industry is the most influential actor in Latin America at this moment. For starters, private industry is where much of the capacity—and vulnerabilities—lie. Additionally, Latin America’s information technology industry has demonstrated significant growth in recent years and there’s an opportunity for the region to become a resource for nearshore talent.”
Solar: “I believe the usual suspects in the private market will hold their lead in providing both ICT and cybersecurity services. Established software and hardware companies such as IBM and Microsoft are very trusted actors across many businesses and government networks. Nonetheless, I would keep an eye on the accelerated entry of Huawei into the ICT market. Governments find in the Chinese conglomerate a partner ready to invest and create new job opportunities. Cybersecurity in the region is largely connected to development initiatives that go beyond safe access to the Internet.”
#5 Which Latin American countries punch above their weight in cybersecurity?
Contreras: “Although there is still much pending to do, countries such as Brazil, Colombia, Chile, and Mexico have taken the lead in developing their institutional capacities, including the development of laws, policies, and regulations. In addition, there is increased expertise in the private sector, primarily in the financial sector. Nevertheless, countries such as Argentina, Dominican Republic, Ecuador, Panama, and Peru, among others, are also making significant efforts to advance their cyber capabilities.”
Crowther: “According to the cyber maturity model used in the IADB/OAS study, Uruguay has the best score, followed by Chile, Colombia and the Dominican Republic. The second tier is comprised of Argentina, Brazil, Costa Rica, and Mexico. Trinidad and Tobago also scored well. In terms of cyber power (not cybersecurity) Brazil, Chile, Colombia, and Mexico are in the top tier. Brazil experienced both a World Cup and an Olympics, Colombia is under regular cyber assault from adversaries, and the Chilean national bank was abused by North Korean hackers, and Mexico deals with sophisticated transnational criminal organizations. They also have larger economies and populations, which allow them to invest more in cyber training and education.”
Hurel: “Countries in Latin America have been continuously working to enhance cybersecurity, even though sometimes through piecemeal or fragmented approaches. Cybercrime usually ranks higher in terms of capacities than other areas given that many organized crime networks and gangs have increasingly sought to professionalize their activities online. This has led to a focus on capacity development in police forces in Brazil, Colombia, Argentina, among others. Despite political and economic instability in recent years, there has been a rise in the elaboration of national cybersecurity strategies with countries like Colombia publishing more than one version. Brazil on the other hand only published its first national cybersecurity strategy in early 2020 but has since followed with the development of specific strategies, such as its latest one on critical infrastructure protection and artificial intelligence.”
Shahwan Edwards: “Mexico. While Mexico has become a popular target for cybercrime and fraud as connectivity increases, the Mexican government is taking note and reevaluating its approach to cybersecurity and the need for increased collaboration amidst digital transformation. In the Global Cybersecurity Index, Mexico is ranked at fifty-two but is fourth within the Americas, trailing the United States, Canada, and Brazil. One can interpret this as an opportunity for improvement in the development of cyber strategy, policies, and national structures.”
Solar: “It is hard to evaluate countries given their different approaches to cybersecurity. Some have decided to leave cybersecurity to private companies. Others have centralized cybersecurity on government agencies and the military. According to the OAS cybersecurity observatory, most Latin American states are in the early stages of cybersecurity development. For example, there is still a lot to do in Central America and the Caribbean. A small list of countries with already set policies, legal frameworks, institutional capacity, and human capital resources includes Brazil, Uruguay, Colombia, and Chile.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.